Domain Join Rights
1. Assign rights to the user group using the default domain group policy.
Domain join rights. Then, on the restart notice, click OK. When setting up the account in a ConfigMgr task sequence to join the new computer account to the domain, you must give that account rights in order for it to work. It is not a security best practice to use a domain admin account for joining systems to the domain, as this is a domain-wide account that typically has access to every server and computer.
Then it will return a welcome screen. It's supposed to be "This object and all descendant objects", and then select "Create Computer objects" and "Delete Computer objects". And the service account would automatically add every VM that it makes using Add-Computer.
Domain join account minimum rights: this falls under another one of those items that I have had in my private notes for a while but can't remember where I found it. Under "Computer name, domain, and workgroup settings", click Change settings. Here's how you delegate the permissions.
When you apply this permission to computer objects, it applies only to computer objects, not OUs; hence it prevents domain joining. Which authorizations are necessary to join a computer to an AD domain? When you return to System Properties, click Close.
Delegating domain join access is quite a simple task to do in Windows Server using the Delegation of Control. Right-click the desired domain and select Delegate Control. Or delegate rights using Active Directory Users and Computers.
Then you can restrict domain user accounts from joining the domain and just have the service account and your support techs with the right. Also, domain admin accounts usually have access to many other Windows resources within the Active Directory domain. Finally, click Restart Now.